How to Generate Certificate Signing Request on FileMaker Server 15 and Later

FileMaker Server

15.x

If security is important to your operations, all machines running FileMaker Server should have a custom SSL certificate. The standard FileMaker SSL certificate installed by default is available for test purposes only. Follow the process in this article to obtain a new certificate or replace an expired certificate.

Purchase a Fully Qualified Domain Name (FQDN)

Your Fully Qualified Domain Name (FQDN) is the public-facing address that you would like to use to access FileMaker Server. To obtain a FQDN, you must register your unique domain name with a DNS registrar who keeps the domain in sync with your server's IP address. Please keep the following points in mind:

If you already own a domain, you may instead purchase a subdomain (such as subdomain.currentdomain.com) instead of getting an entirely new domain.

For multi-machine deployments, each machine should have its own domain or subdomain. For example, server1.domain.com and server2.domain.com.

When you purchase a new domain, you may recieve a new email account through the DNS registrar that you can use to validate that you are the owner of the domain.

Create a CSR for the domain name

A create a certificate signing request (CSR) is a hash file containing information about your domain, including the domain name, company, etc. When purchasing a SSL certificate, the CSR tells the Certificate Authority what domain to issue the certificate for.

Specify your domain name, company name, and a private key password. For wildcard certificates, specify the domain name using an asterisk *.<yourdomain.com> instead of subdomain.currentdomain.com. Wildcard certificates are recommended for multi-machine deployments.

Click Next. This will create the following files in /FileMaker Server/CStore/ :

Cick Download to save a copy of serverRequest.pem to your Downloads folder.

Purchase a SSL certificate

Select a SSL certificate to purchase from a Certificate Authority (CA).

Paste or upload the contents of your CSR: Open serverRequest.pem in a text editor and copy the entire contents into the space provided on the CAs website. (Including -Begin Certificate Request- and -End Certificate Request-)

Provide the servers FQDN.

Select a signature hash algorithm (use SHA-2 with SHA-1 root).

Select "Other" as the server software used to generate the CSR.

Validate by email that you are the owner of the domain name specified in the CSR.

Multi-machine deployments: purchase a wildcard certificate that can be imported on all machines.

Import the certificate into FileMaker Server

After the purchase, you will recieve an email from the CA containing your server certificate (matching your domain name) and required intermediate certificates. All certificates should be in Base64 PEM format. Common extensions are .pem, .crt, or .cer.

To import the certificate:

Go to the Admin Console > Database Server > Security

Click on Import Certificate.

Specify the following:

server certificate: its file name will match your domain name

intermediate certificate: comes with server certificate

private key file: serverKey.pem located in /FileMaker Server/CStore/

private key password : specified during CSR creation

Click Save at the bottom of the Admin Console window.

Restart FileMaker Server.

NOTE: Certificates requested in FileMaker Server 14 or earlier using "fmsadmin certificate create" cannot be imported into FileMaker Server 15 and higher. Use the process in this article to create a new CSR.